-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
providers/linux: Fix linux Capabilities #196
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
linux: fix linux capabilities | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -83,40 +83,36 @@ func capabilityName(num int) string { | |
return strconv.Itoa(num) | ||
} | ||
|
||
func readCapabilities(content []byte) (*types.CapabilityInfo, error) { | ||
var cap types.CapabilityInfo | ||
|
||
err := parseKeyValue(content, ':', func(key, value []byte) error { | ||
func decodeCapabilityLine(content string, capInfo *types.CapabilityInfo) error { | ||
return parseKeyValue([]byte(content), ':', func(key, value []byte) error { | ||
var err error | ||
switch string(key) { | ||
case "CapInh": | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. although this code was already like that, I debate inside me if it would add more value having all Cap* strings defined as constants. Feel free to ignore There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ack, that makes sense, I was aiming to be conservative and using what's already there though. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I made a little snippet that gets all of the CAPs if you think it might be helpful here package main
import (
"fmt"
"go/constant"
"go/types"
"os"
// "golang.org/x/sys/unix"
"golang.org/x/tools/go/packages"
)
func main() {
cfg := &packages.Config{Mode: packages.NeedTypes}
pkgs, err := packages.Load(cfg, "golang.org/x/sys/unix")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
caps := map[string]uint64{}
for _, pkg := range pkgs {
scope := pkg.Types.Scope()
for _, t := range scope.Names() {
if len(t) > 4 && t[0:4] == "CAP_" {
t_v, err := types.Eval(pkg.Fset, pkg.Types, scope.Pos(), t)
if err == nil {
if flagbits, ok := constant.Uint64Val(t_v.Value); ok {
caps[t] = flagbits
}
}
}
}
}
for key, val := range caps {
fmt.Printf("%v: %v\n", key, val)
}
} |
||
cap.Inheritable, err = decodeBitMap(string(value), capabilityName) | ||
capInfo.Inheritable, err = decodeBitMap(string(value), capabilityName) | ||
if err != nil { | ||
return err | ||
} | ||
case "CapPrm": | ||
cap.Permitted, err = decodeBitMap(string(value), capabilityName) | ||
capInfo.Permitted, err = decodeBitMap(string(value), capabilityName) | ||
if err != nil { | ||
return err | ||
} | ||
case "CapEff": | ||
cap.Effective, err = decodeBitMap(string(value), capabilityName) | ||
capInfo.Effective, err = decodeBitMap(string(value), capabilityName) | ||
if err != nil { | ||
return err | ||
} | ||
case "CapBnd": | ||
cap.Bounding, err = decodeBitMap(string(value), capabilityName) | ||
capInfo.Bounding, err = decodeBitMap(string(value), capabilityName) | ||
if err != nil { | ||
return err | ||
} | ||
case "CapAmb": | ||
cap.Ambient, err = decodeBitMap(string(value), capabilityName) | ||
capInfo.Ambient, err = decodeBitMap(string(value), capabilityName) | ||
if err != nil { | ||
return err | ||
} | ||
} | ||
return nil | ||
}) | ||
|
||
return &cap, err | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,6 +18,7 @@ | |
package linux | ||
|
||
import ( | ||
"bufio" | ||
"bytes" | ||
"io/ioutil" | ||
"os" | ||
|
@@ -213,13 +214,29 @@ func (p *process) Seccomp() (*types.SeccompInfo, error) { | |
return readSeccompFields(content) | ||
} | ||
|
||
// Returns error if at least one capability errored out, while still | ||
// returning the successful ones | ||
func (p *process) Capabilities() (*types.CapabilityInfo, error) { | ||
content, err := ioutil.ReadFile(p.path("status")) | ||
var gotErr error | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Recommend moving the declaration down closer to first usage to minimize scope. |
||
f, err := os.OpenFile(p.path("status"), os.O_RDONLY, 0644) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think https://pkg.go.dev/os#Open would be more clear. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. absolutely, I'm new to Go so expect weirdness, I'll fix it. |
||
if err != nil { | ||
return nil, err | ||
} | ||
defer f.Close() | ||
scanner := bufio.NewScanner(bufio.NewReader(f)) | ||
var capInfo types.CapabilityInfo | ||
for scanner.Scan() { | ||
line := scanner.Text() | ||
if len(line) != 24 || line[:3] != "Cap" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Without ensuring the length of the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed, but it does check: |
||
continue | ||
} | ||
err = decodeCapabilityLine(line, &capInfo) | ||
if err != nil && gotErr == nil { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. maybe we should do a "multierror" here? As it captures the error only for the first capability that fails and we lose the reason for any subsequent similar ones. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hmm I'm ok with just returning the first one though, as it's 99.999999% (number took out of my hat) the reason of the possible subsequent failures |
||
gotErr = err | ||
} | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If the scanner encounters an error then There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Well spot, will fix it, many thanks |
||
return readCapabilities(content) | ||
return &capInfo, gotErr | ||
} | ||
|
||
func (p *process) User() (types.UserInfo, error) { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -310,3 +310,25 @@ func TestProcesses(t *testing.T) { | |
info.StartTime) | ||
} | ||
} | ||
|
||
func TestCapabilities(t *testing.T) { | ||
if runtime.GOOS != "linux" { | ||
t.Skip("capabilities is linux only") | ||
} | ||
init, err := Process(1) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
v, ok := init.(types.Capabilities) | ||
if !ok { | ||
t.Fatal("capabilities is expected to be implemented for linux") | ||
} | ||
capInfo, err := v.Capabilities() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
totalCaps := 41 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This seem brittle as it depends on the host operating system. The results could vary by kernel. Like if someone develops on an older OS then their tests might fail. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed, I wasn't sure if this is worth or not |
||
assert.EqualValues(t, len(capInfo.Permitted), totalCaps) | ||
assert.EqualValues(t, len(capInfo.Effective), totalCaps) | ||
assert.EqualValues(t, len(capInfo.Bounding), totalCaps) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a reader of the release notes, I think I would prefer to have a few more details about what was broken.